But you do have a lot of information that could let bad guys steal identities of your students and fellow employees. Security should be on by default with you only letting a known set of people have access to what they need, although sadly very few people understand that. Citrix isn't a VPN. A real VPN would give you some level of internal network access remotely so that you could setup Outlook to access the Exchange server, provided that was part of the network access that's granted. That and the fact that they mentioned POP3 when you said Outlook Anywhere makes me lean towards them being incompetent and not just blowing smoke up your ass to make you go away.